On August 16, 2022, President Biden signed the bipartisan Inflation Reduction Act (IRA) of 2022 into law. The bill includes sweeping legislation to create more incentives for green energy production, storage, and use through federal income tax credits and deductions. The IRA allows government and not-for-profit entities to cash in on certain credits, and it increases the payroll tax offset election for start-up companies.
Brooks Nelson and Sarah McGregor are joined by Ron Wainwright, Partner in our Tax Credits and Incentives practice, to dive deep into the tax implications that are included in the IRA.
This podcast covered the various tax credits, new and enhanced, for commercial vehicles, monetizing credits, research and development (R&D) for start-up companies, and much more.
The Podcast Covers:
- 2:46 – Extending existing credits
- 8:55 – Introducing a few new credits
- 13:53 – Commercial vehicle credits
- 15:58 – Enhancements and bonuses
- 20:12 – Tax Exempt Entities can monetize credits
- 21:21 – R&D tax credit for start-up companies
- 23:53 – Raising and collecting tax revenues
HOST: LAUREN ROSS: Welcome to the Risk and Advisory podcast. I'm Lauren Ross, a senior manager in our cybersecurity practice here at Cherry Bekaert.
HOST: LAUREN ROSS: Today I'm joined by Stephen Morgan, a partner in our cybersecurity practice, and Morgan Hey, a senior manager at Meditology Services, which is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services for healthcare organizations.
HOST: LAUREN ROSS: Today we're kicking off a three-part series on AI compliance, and to start we want to jump right into AI compliance frameworks. Stephen, Morgan, thanks so much for joining me.
STEPHEN MORGAN: Thanks, Lauren. Pleasure to be here.
HOST: LAUREN ROSS: Starting with SOC 2. While SOC 2 wasn't originally designed for AI-specific risks, it covers security, privacy, availability, confidentiality, and processing integrity, which are critical for AI governance. Stephen, how can SOC 2 reporting give confidence in AI systems, and what are some practical add-ons that strengthen overall assurance?
STEPHEN MORGAN: SOC reporting—System and Organization Controls—is a reporting framework for organizations to provide transparency on their internal control processes related to the criteria you mentioned.
STEPHEN MORGAN: If a service organization offers SaaS, IaaS, or PaaS and has service-level commitments to customers—such as uptime, security, confidentiality, KPIs, or reporting elements—SOC 2 helps hold the organization accountable for both the design and operating effectiveness of controls that ensure those commitments are met.
STEPHEN MORGAN: SOC 2 is built on COSO, which is a system of reporting for internal control. When evaluating AI risks and governance expectations, you can unpack what's relevant to provide transparency, oversight, and accountability for controls tied to service-level commitments.
STEPHEN MORGAN: The criteria are predicated on points of focus that are broad and customizable, allowing organizations to incorporate third-party criteria such as ISO, NIST, HIPAA privacy and security implications, or other standards.
STEPHEN MORGAN: For AI specifically, SOC 2 should explicitly scope AI use within service-level commitments to ensure the AI is operating securely, reliably, and accurately. If AI supports core commitments—for example, anomaly detection for fraud monitoring—appropriate risk management measures, governance, and controls should be built in.
STEPHEN MORGAN: We would expect to see AI governance represented in the management's system description and in the design and operating effectiveness of controls. That includes commitments to fairness and accuracy, model registries, logging and monitoring, bias testing, drift monitoring, and any human-in-the-loop processes.
STEPHEN MORGAN: Overall, SOC 2 can provide insight into how AI is used, the model type, assumptions, data usage, evidence gathering, and monitoring practices to ensure controls are effective.
HOST: LAUREN ROSS: That leads into my next question. You mentioned AI-specific risks like model bias and drift. Morgan, how can organizations adopt SOC 2 controls to address these risks?
MORGAN HEY: SOC 2 is flexible and comes in many flavors, so organizations should focus on processing integrity and confidentiality as primary criteria.
MORGAN HEY: AI presents an opportunity to advise clients consuming SOC 2 reports about specific controls needed to secure AI components and prioritize processing integrity, including enhanced data validation and data integrity controls beyond traditional processing ecosystems.
MORGAN HEY: A model registry is a practical control that doesn't require significant internal resources but is highly beneficial for addressing AI-specific problems. It documents how data will be used, its source, and who is authorized to access it.
MORGAN HEY: Compounding a registry with other controls helps mitigate model bias and drift. Organizations can include these controls in SOC 2 reports to demonstrate a commitment to accurate, consistent model performance, focusing on processing integrity.
HOST: LAUREN ROSS: Another AI-related standard we want to talk about is ISO/IEC 42001, which I believe was the first AI-specific standard focusing on ethical AI principles, governance, risk assessments, and lifecycle management. Stephen, what distinguishes ISO/IEC 42001 from traditional security standards like ISO/IEC 27001 when it comes to AI governance?
STEPHEN MORGAN: ISO/IEC 27001 has been around for quite some time and is globally accepted for demonstrating maturity in information security management programs. It focuses primarily on safeguarding information and data.
STEPHEN MORGAN: ISO/IEC 42001 is a management system standard designed specifically around governing AI responsibility across its lifecycle. It addresses risks that are unique to AI beyond traditional information security concerns, such as ethical, social, operational, and technical risks.
STEPHEN MORGAN: As with other ISO standards, organizations can use the criteria as a benchmark to build programs and pursue certification to demonstrate compliance initiatives.
STEPHEN MORGAN: ISO/IEC 27001 covers threats, vulnerabilities, and security risk to data. ISO/IEC 42001 extends that to ensure AI is fair, trustworthy, explainable, and responsibly governed across design, development, deployment, monitoring, retraining, versioning, and retirement.
STEPHEN MORGAN: You will see roles for AI risk owners and continuous monitoring built into an AI management system. Monitoring is critical because AI systems can lose transparency if not designed with appropriate monitoring behaviors.
STEPHEN MORGAN: The standard captures how you retrain models when bias or drift emerges and how you version and retire models as they evolve. The intended use of AI under ISO/IEC 42001 emphasizes responsibility, safety, fairness, and explainability.
STEPHEN MORGAN: For example, with patient healthcare data, ISO/IEC 27001 expectations ensure data is safeguarded and access controlled, while ISO/IEC 42001 adds requirements that diagnostic AI models be accurate, unbiased, explainable, monitored for drift, and retired appropriately.
HOST: LAUREN ROSS: How does ISO/IEC 42001 operationalize ethical principles in AI development and deployment?
MORGAN HEY: ISO/IEC 42001 serves as a north star for organizations entering the AI space by providing guidance and structure to address ethical and social dilemmas.
MORGAN HEY: It forces organizations to evaluate fairness, transparency, and accountability in models and datasets, which may not be intuitive for teams without a data science background.
MORGAN HEY: The standard promotes a risk-based approach that focuses on data acquisition, including protocols and procedures for sourcing and transforming data, and checks to prevent issues like model poisoning or data inversion.
MORGAN HEY: Ultimately, ISO/IEC 42001 helps organizations prevent outputs that are unreliable or biased and mitigates significant reputational and liability risks, especially in sectors like healthcare and financial services where model outputs can have real-world impacts.
MORGAN HEY: ISO was one of the first standards to surface these issues and provides a structured first step for organizations to address ethical and social concerns in AI systems.
HOST: LAUREN ROSS: How do regulations like GDPR and HIPAA intersect with AI compliance, especially in data-intensive use cases?
STEPHEN MORGAN: There is significant overlap. Frameworks and regulations such as GDPR and the HIPAA Security Rule set baseline requirements for securing systems and personal data, which apply to AI systems consuming personal data at scale.
STEPHEN MORGAN: Many AI systems require large volumes of data to function effectively. Organizations handling personal health information or other personal data must align AI-specific controls with HIPAA, GDPR, and local regulations, because consuming that data creates legal obligations and potential liability.
STEPHEN MORGAN: For healthcare organizations, adherence to HIPAA is mandatory. Noncompliance can lead to significant penalties, and for GDPR, penalties can be substantial if operating in the European context.
STEPHEN MORGAN: The AI data pipeline and acquisition processes introduce additional opportunities for failure, so organizations need assurance mechanisms and internal monitoring to manage these risks.
HOST: LAUREN ROSS: Stephen, Morgan referenced tokenization. Can you expand on how tokenization and other technologies help protect identifiers while enabling model training?
STEPHEN MORGAN: Tokenization, anonymization, and pseudonymization are critical techniques to enable training and model development while protecting personal identifiers. These approaches allow organizations to maintain model accuracy and operational guardrails while minimizing exposure of sensitive data.
STEPHEN MORGAN: Implementing these techniques within an AI governance framework such as ISO/IEC 42001 helps organizations balance utility and privacy while meeting regulatory requirements.
HOST: LAUREN ROSS: Steve, can you walk us through how the NIST AI Risk Management Framework complements frameworks like ISO/IEC 42001?
STEPHEN MORGAN: The NIST AI Risk Management Framework provides risk management guidance to help organizations identify, map, measure, and manage AI risks. It is a tactical, flexible runbook for executing control mitigations at a granular level.
STEPHEN MORGAN: ISO/IEC 42001 provides governance across the AI lifecycle, while NIST offers tactical workflows for specific AI risks. Combining them offers governance plus prescriptive risk-management tactics.
STEPHEN MORGAN: In addition, the OWASP Top 10 for LLMs provides prescriptive technical controls for large language models, similar to OWASP Top 10 for web application security. Integrating OWASP guidance with NIST and ISO frameworks helps embed safeguards into development and the SDLC rather than treating them as an afterthought.
STEPHEN MORGAN: Pulling multiple frameworks together allows organizations to govern AI systems at appropriate levels and tailor discussions to technical developers as well as broader business and operational risk communities.
HOST: LAUREN ROSS: Morgan, you mentioned HITRUST earlier. In addition to NIST CSF, what role do HITRUST and NIST CSF play in multiframework environments?
MORGAN HEY: HITRUST and NIST CSF are more agnostic, baseline frameworks, while AI-specific frameworks focus on the unique aspects of AI risk. Organizations often align with one or the other based on obligations or client requirements.
MORGAN HEY: In healthcare, initiatives like 405(d) and the Cybersecurity Performance Goals have influenced organizations to adopt NIST CSF. Many organizations pursue HITRUST because clients require it, driving certification.
MORGAN HEY: Organizations frequently need to satisfy multiple frameworks, which creates audit burden. Control harmonization—mapping controls across frameworks—can reduce that burden.
MORGAN HEY: Toolkits and automation platforms such as Drata and Vanta can help automate compliance tasks and make harmonization more manageable.
MORGAN HEY: If your organization already meets many controls under ISO/IEC 27001, HITRUST, or NIST CSF, those security baselines get you most of the way toward AI readiness. The primary deltas to address are bias, data validation, and data integrity.
MORGAN HEY: Standards are evolving to bridge gaps, but organizations must plan and leverage harmonization between frameworks when possible.
HOST: LAUREN ROSS: Thank you, Morgan. Thank you, Stephen, for joining me. Thank you all for tuning in to the Risk and Cybersecurity podcast.
HOST: LAUREN ROSS: Don't forget to subscribe and join us next time as we speak more with Stephen Morgan on the drivers of AI compliance and strategic options.